Kubeconfig files store parameters and credentials that are used by Kubernetes clients, such as kubectl, to connect to and authenticate Kubernetes clusters. Kubeconfig files also contain information about clusters, users, namespaces, and the identity authentication mechanism. This topic describes the operations that you can perform to manage kubeconfig files.
Operations
Container Service for Kubernetes (ACK) signs and issues kubeconfig files that contain identity information to Alibaba Cloud accounts, Resource Access Management (RAM) users, or RAM roles. These kubeconfig files can be used to access ACK clusters. The following table describes the operations that you can perform on kubeconfig files in different scenarios.
Based on the shared responsibility model, you are responsible for maintaining the kubeconfig files. Make sure that the kubeconfig files are available and valid. This prevents security risks caused by kubeconfig file leaks.
Operation | Description | References |
Obtain kubeconfig files | You can obtain the kubeconfig file of a cluster to connect to the cluster over the Internet or a private connection. If you do not need to connect to the API server of a cluster for a long period of time, we recommend that you use a temporary kubeconfig file to reduce the security risks caused by kubeconfig file leaks. | Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster |
Revoke kubeconfig files | RAM users or RAM roles can revoke their kubeconfig files. After a RAM user or RAM role revokes their kubeconfig file, the system automatically generates a new kubeconfig file and binds the new kubeconfig file to the RAM user or RAM role. The revoked kubeconfig file becomes invalid. | |
Delete kubeconfig files | Permission administrators can batch delete the kubeconfig files of clusters, RAM users, or RAM roles managed by them. No new kubeconfig files are generated in this case. Permission administrators can also use the kubeconfig recycle bin to restore kubeconfig files. When an employee resigns or you need to revoke the permissions of an employee, you can use the console or ack-ram-tool to delete the kubeconfig file issued to the employee to mitigate potential security risks. | |
Restore kubeconfig files | You can use the kubeconfig recycle bin to restore kubeconfig files that you accidentally deleted or restore a historical version of a kubeconfig file. |